On Thu, Feb 16, 2023 at 09:44:55PM +0100, Heiko Schlittermann via Exim-users wrote:
> > Is it at all possible with OpenSSL to stop the "system" location from
> > being checked? If not, that seems to make the use of TLS for client
> > authentication impossible because any certificate presented by
> > e.g. Google will pass verification. Am I reading this correctly?
>
> IMHO it shouldn't be sufficient to accept any client that just has a
> verified certificate ("authenticated"). You should check if the client
> is "authorized", by checking required certificate attributes (issuer,
> subject, …)

Some applications (want to) only accept client certificates issued by a
dedicated non-public CA, which amounts to an authorisation server. If
the CA gave you a cert, you're an authorised user of the application
until the cert expires (or is revoked, if the server application has
access to timely CRLs, ...)

They drank the PKI Kool-Aid. I don't recommend this design. Often
simpler to just use a list of authorised public keys instead.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/